19-year-old wins one million airmiles after finding United Airlines bugs


19-year-old wins one million airmiles after finding United Airlines bugs

Vulnerability researcher Olivier Beg from Amsterdam has been handsomely rewarded with one million airmiles by United Airlines, after finding some 20 security holes in the company’s software.

As the Dutch Broadcast Foundation reports, the 19-year-old has benefited from the bug bounty scheme that the airline introduced last year to encourage bug hunters to disclose their findings responsibly to the airline rather than publish them to others on the net who might attempt to exploit them.

According to reports, the most serious bug found by Olivier Beg earned the teenager a stonking 250,000 airmiles. He claims to have found vulnerabilities in software from other companies including Yahoo, Google and Facebook.

All the signs are that there is certainly the need for airlines to run such bug bounties - United has suffered in the past from hackers breaking into customers’ flight reward accounts, and has been criticised more recently for its tardy response to flaws reported in its flight reservation system.

Personally, I think it might be better if firms like United offered researchers hard cash rather than airmiles for their efforts. After all, what if you’re a bug hunter who is petrified of flying, or simply cannot stand the food on United planes? Surely you don’t want to discourage those folks from responsible disclosure…

Regardless, a bug bounty is better than no bug bounty - even if it’s only counted in airmiles.

And don’t think that Olivier Beg is now flying around the world for free. He says he didn’t have to pay for his flight Las Vegas last week, but still had to pay five Euros airport tax…

PS. My thanks to Win Remes who points out that there may be a painful sting in the tail for anyone receiving “free” airmiles:

Tags: ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts


11 Responses

  1. Simon

    August 9, 2016 at 11:41 am #

    Agreed on the rewards. Discovering bugs and bring them to the table takes integrity and intelligence, something that’s a rarity these days.

    Generous bounty rewards is likely to discourage wrongdoing and show appreciation.

  2. Mark Z

    August 9, 2016 at 12:52 pm #

    60 bucks to fly coast to coast does sound fun, thank you.

  3. Benedikt MORAK

    August 9, 2016 at 4:50 pm #

    Graham you write crap. of course an Airline will give miles, costs them far less than giving cash. and gives the people chances to go places where they for sure would-could not go otherwise. don’t like the food or have a fear of flying? don’t worry, THAT to happen with a 19 year old will be rather rare.

    • Graham Cluley in reply to Benedikt MORAK.

      August 9, 2016 at 11:43 pm #

      I’ve heard a fair few people say that they are particularly phobic of flying United. If I had a bad experience once I’d probably feel a bit miffed that I had another 940,000 airmiles with them rattling about in the bottom of my bag.

  4. Michael Ponzani

    August 9, 2016 at 11:12 pm #

    Dear Mr. Cluely:

    They can’t live without their taxes! Just listen to the Beatles, “Taxman”. There’s a remake of this live in Japan without John Lennon who went Kaput through that PP head’s gun. However, since the Beatles were the greatest drug band in history. Wilson Byrant Key wrote about this in his Subliminal Seduction books. They have been suppressed as were Dr. Antony Sutton’s books about the international financiers.
    PS. Cluely is a Great Name for sniffing out crimes!

    • Graham Cluley in reply to Michael Ponzani.

      August 9, 2016 at 11:38 pm #

      I didn’t understand most of what you wrote, but I can tell you that Cluley is an even better name.

  5. Michael Ponzani

    August 9, 2016 at 11:16 pm #

    Since the Beatles were the greatest drug band in the world…and led to the ruination of many lives, I dont’ reall care in the long run what happened to them. Probably financed by Tavistock or MK Ultra.

  6. Michael Ponzani

    August 9, 2016 at 11:17 pm #

    I can’t type for Sheiss!

  7. Rex

    August 9, 2016 at 11:27 pm #

    What type of an article opens with out of date photos of the airline, praise the young man then slams the airline. The question should be are you qualified to write or are you a poser?

    • Graham Cluley in reply to Rex.

      August 9, 2016 at 11:41 pm #

      Why shouldn’t Olivier Beg be praised for finding vulnerabilities? He was working within the rules of United’s bug bounty program ( https://www.united.com/web/en-US/content/Contact/bugbounty.aspx ) and if it weren’t for him then one can assume that someone malicious might have found the vulnerabilities and exploited them.

      In my opinion United is lucky to have people prepared to find the security holes in its systems for a fraction of what it would cost if they had bothered to find them itself.

      Out of date photos of the airline? Sorry about that. But still, hardly as dangerous as out of date software, right?

  8. Bill

    August 10, 2016 at 12:43 am #

    Complete wrong info. United miles cost about 2.1 cents per mile. So the value of 250000 miles is about $5K. That hacker got screwed. Probably could have sold the exploit for 10 times that. Oh and the excise tax is 7.5 percent. So the correct tax would be about $393 and not 20k. Since these were awarded though it’s United’s problem on the tax.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.